BUG: unable to handle kernel NULL pointer dereference in hfs_find_init

From: Hui Guo
Date: Sat Oct 12 2024 - 22:28:06 EST


Hi Kernel Maintainers,
we found a crash "BUG: unable to handle kernel NULL pointer
dereference in hfs_find_init" (it seems to be a KASAN one and makes the kernel
reboot) in upstream; we have successfully reproduced it manually:


HEAD Commit: 9852d85ec9d492ebef56dc5f229416c925758edc(tag 'v6.12-rc1')
kernel config: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/6.12.config


repro report: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/9852d85ec9d492ebef56dc5f229416c925758edc/0f99fb17356ecba84aa11ff7892598348ab4a96b/repro.report
console output:
https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/9852d85ec9d492ebef56dc5f229416c925758edc/0f99fb17356ecba84aa11ff7892598348ab4a96b/log0
syz reproducer:
https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/9852d85ec9d492ebef56dc5f229416c925758edc/0f99fb17356ecba84aa11ff7892598348ab4a96b/repro.prog
c reproducer: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/main/9852d85ec9d492ebef56dc5f229416c925758edc/0f99fb17356ecba84aa11ff7892598348ab4a96b/repro.cprog


Please let me know if there is anything I can help with.
Best,
Hui Guo

This is the crash log I got by reproducing the bug in the above
environment. I have piped this log through decode_stacktrace.sh to better
understand the cause of the bug.
================================================================================
root@syzkaller:~# ./syz-execprog /data/ghui/docker_data/workdir/upstream/ghui_syzkaller_upstream_linux_v6.11_2_upstream/crashes/0f99fb17356ecba84aa11ff7892598348ab4a96b/repro.pg
2024/10/13 02:13:14 parsed 1 programs
[ 1715.063040][T13595] Adding 124996k swap on ./swap-file. Priority:0
extents:1 across:124996k
[ 1715.956030][T13626] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 1715.957157][T13626] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 1715.958207][T13626] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 1715.959567][T13626] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 1715.960644][T13626] Bluetooth: hci0: unexpected cc 0x0c25 length: 249 > 3
[ 1715.964767][T13626] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 1716.015110][T13760] wlan0: Created IBSS using preconfigured BSSID
50:50:50:50:50:50
[ 1716.016184][T13760] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1716.031523][T13561] wlan1: Created IBSS using preconfigured BSSID
50:50:50:50:50:50
[ 1716.032577][T13561] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1716.035527][T13625] chnl_net:caif_netlink_parms(): no params data found
[ 1716.061284][T13625] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1716.062217][T13625] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1716.063172][T13625] bridge_slave_0: entered allmulticast mode
[ 1716.064077][T13625] bridge_slave_0: entered promiscuous mode
[ 1716.065092][T13625] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1716.066018][T13625] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1716.066969][T13625] bridge_slave_1: entered allmulticast mode
[ 1716.067872][T13625] bridge_slave_1: entered promiscuous mode
[ 1716.073685][T13625] bond0: (slave bond_slave_0): Enslaving as an
active interface with an up link
[ 1716.075269][T13625] bond0: (slave bond_slave_1): Enslaving as an
active interface with an up link
[ 1716.083754][T13625] team0: Port device team_slave_0 added
[ 1716.084756][T13625] team0: Port device team_slave_1 added
[ 1716.090299][T13625] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1716.091177][T13625] batman_adv: batadv0: The MTU of interface
batadv_slave_0 is too small (1500) to handle the transport of
batman-adv packets. Packets going over this inter.
[ 1716.094348][T13625] batman_adv: batadv0: Not using interface
batadv_slave_0 (retrying later): interface not active
[ 1716.095772][T13625] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1716.096636][T13625] batman_adv: batadv0: The MTU of interface
batadv_slave_1 is too small (1500) to handle the transport of
batman-adv packets. Packets going over this inter.
[ 1716.099888][T13625] batman_adv: batadv0: Not using interface
batadv_slave_1 (retrying later): interface not active
[ 1716.110722][T13625] hsr_slave_0: entered promiscuous mode
[ 1716.112226][T13625] hsr_slave_1: entered promiscuous mode
[ 1716.126167][T13625] netdevsim netdevsim10 netdevsim0: renamed from eth0
[ 1716.127484][T13625] netdevsim netdevsim10 netdevsim1: renamed from eth1
[ 1716.128745][T13625] netdevsim netdevsim10 netdevsim2: renamed from eth2
[ 1716.130133][T13625] netdevsim netdevsim10 netdevsim3: renamed from eth3
[ 1716.135631][T13625] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1716.136556][T13625] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1716.137500][T13625] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1716.138429][T13625] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1716.144506][T13625] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1716.146837][T13886] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1716.148752][T13886] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1716.151564][T13625] 8021q: adding VLAN 0 to HW filter on device team0
[ 1716.153279][T13886] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1716.154090][T13886] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1716.156241][T13886] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1716.157869][T13886] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1716.181717][T13625] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1716.209621][T13625] veth0_vlan: entered promiscuous mode
[ 1716.211036][T13625] veth1_vlan: entered promiscuous mode
[ 1716.214231][T13625] veth0_macvtap: entered promiscuous mode
[ 1716.215195][T13625] veth1_macvtap: entered promiscuous mode
[ 1716.217047][T13625] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1716.218971][T13625] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1716.220345][T13625] netdevsim netdevsim10 netdevsim0: set [1, 0]
type 2 family 0 port 6081 - 0
[ 1716.221464][T13625] netdevsim netdevsim10 netdevsim1: set [1, 0]
type 2 family 0 port 6081 - 0
[ 1716.222545][T13625] netdevsim netdevsim10 netdevsim2: set [1, 0]
type 2 family 0 port 6081 - 0
[ 1716.223534][T13625] netdevsim netdevsim10 netdevsim3: set [1, 0]
type 2 family 0 port 6081 - 0
2024/10/13 02:13:18 executed programs: 0
[ 1716.322303][ T4649] Bluetooth: hci1: unexpected cc 0x0c03 length: 249 > 1
[ 1716.324231][ T4649] Bluetooth: hci1: unexpected cc 0x1003 length: 249 > 9
[ 1716.325959][ T4649] Bluetooth: hci1: unexpected cc 0x1001 length: 249 > 9
[ 1716.327813][ T4649] Bluetooth: hci1: unexpected cc 0x0c23 length: 249 > 4
[ 1716.329786][ T4649] Bluetooth: hci1: unexpected cc 0x0c25 length: 249 > 3
[ 1716.331450][ T4649] Bluetooth: hci1: unexpected cc 0x0c38 length: 249 > 2
[ 1716.353232][T15016] chnl_net:caif_netlink_parms(): no params data found
[ 1716.373312][T15016] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1716.374266][T15016] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1716.375198][T15016] bridge_slave_0: entered allmulticast mode
[ 1716.376084][T15016] bridge_slave_0: entered promiscuous mode
[ 1716.377121][T15016] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1716.378028][T15016] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1716.378991][T15016] bridge_slave_1: entered allmulticast mode
[ 1716.379866][T15016] bridge_slave_1: entered promiscuous mode
[ 1716.385833][T15016] bond0: (slave bond_slave_0): Enslaving as an
active interface with an up link
[ 1716.387930][T15016] bond0: (slave bond_slave_1): Enslaving as an
active interface with an up link
[ 1716.396402][T15016] team0: Port device team_slave_0 added
[ 1716.398172][T15016] team0: Port device team_slave_1 added
[ 1716.406211][T15016] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 1716.407768][T15016] batman_adv: batadv0: The MTU of interface
batadv_slave_0 is too small (1500) to handle the transport of
batman-adv packets. Packets going over this inter.
[ 1716.413399][T15016] batman_adv: batadv0: Not using interface
batadv_slave_0 (retrying later): interface not active
[ 1716.415633][T15016] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 1716.416987][T15016] batman_adv: batadv0: The MTU of interface
batadv_slave_1 is too small (1500) to handle the transport of
batman-adv packets. Packets going over this inter.
[ 1716.420758][T15016] batman_adv: batadv0: Not using interface
batadv_slave_1 (retrying later): interface not active
[ 1716.426564][T15016] hsr_slave_0: entered promiscuous mode
[ 1716.427371][T15016] hsr_slave_1: entered promiscuous mode
[ 1716.428140][T15016] debugfs: Directory 'hsr0' with parent 'hsr'
already present!
[ 1716.429138][T15016] Cannot create hsr debugfs directory
[ 1716.953119][T15016] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 1716.955519][T15016] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 1716.957883][T15016] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 1716.960421][T15016] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 1716.968025][T15016] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1716.970004][T15016] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1716.971838][T15016] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1716.973583][T15016] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1716.980663][T15016] 8021q: adding VLAN 0 to HW filter on device bond0
[ 1716.983042][T15751] bridge0: port 1(bridge_slave_0) entered disabled state
[ 1716.985009][T15751] bridge0: port 2(bridge_slave_1) entered disabled state
[ 1716.988364][T15016] 8021q: adding VLAN 0 to HW filter on device team0
[ 1716.990438][T13561] bridge0: port 1(bridge_slave_0) entered blocking state
[ 1716.991352][T13561] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 1716.993024][T13561] bridge0: port 2(bridge_slave_1) entered blocking state
[ 1716.993948][T13561] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 1717.016034][T15016] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 1717.021142][T15016] veth0_vlan: entered promiscuous mode
[ 1717.022564][T15016] veth1_vlan: entered promiscuous mode
[ 1717.025807][T15016] veth0_macvtap: entered promiscuous mode
[ 1717.026960][T15016] veth1_macvtap: entered promiscuous mode
[ 1717.028902][T15016] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3e) already exists on: batadv_slave_0
[ 1717.030270][T15016] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 1717.031702][T15016] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 1717.033580][T15016] batman_adv: The newly added mac address
(aa:aa:aa:aa:aa:3f) already exists on: batadv_slave_1
[ 1717.034932][T15016] batman_adv: It is strongly recommended to keep
mac addresses unique to avoid problems!
[ 1717.036334][T15016] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 1717.037905][T15016] netdevsim netdevsim0 netdevsim0: set [1, 0]
type 2 family 0 port 6081 - 0
[ 1717.039133][T15016] netdevsim netdevsim0 netdevsim1: set [1, 0]
type 2 family 0 port 6081 - 0
[ 1717.040277][T15016] netdevsim netdevsim0 netdevsim2: set [1, 0]
type 2 family 0 port 6081 - 0
[ 1717.041440][T15016] netdevsim netdevsim0 netdevsim3: set [1, 0]
type 2 family 0 port 6081 - 0
[ 1717.116220][T13760] wlan0: Created IBSS using preconfigured BSSID
50:50:50:50:50:50
[ 1717.117190][T13760] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1717.119939][T15751] wlan1: Created IBSS using preconfigured BSSID
50:50:50:50:50:50
[ 1717.121966][T15751] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 1717.128890][T16063] loop0: detected capacity change from 0 to 64
[ 1717.130222][T16063] BUG: kernel NULL pointer dereference, address: 0000000000000040
[ 1717.131287][T16063] #PF: supervisor read access in kernel mode
[ 1717.132067][T16063] #PF: error_code(0x0000) - not-present page
[ 1717.132844][T16063] PGD 129e5a067 P4D 129e5a067 PUD 1199de067 PMD 0
[ 1717.133700][T16063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 1717.134454][T16063] CPU: 4 UID: 0 PID: 16063 Comm: syz.0.15 Not tainted 6.12.0-rc1 #5
[ 1717.135494][T16063] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[1717.136709][T16063] RIP: 0010:hfs_find_init (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/bfind.c:21)
[ 1717.137407][T16063] Code: 0f 1f 00 55 48 89 e5 41 55 41 54 49 89 f4 53 48 89 fb e8 58 43 9f ff 49 89 5c 24 10 be c0 0c 00 00 49 c7 44 24 18 00 00 00 00 <8b> 43 40 8d 7c 00 09
All code
========
0: 0f 1f 00 nopl (%rax)
3: 55 push %rbp
4: 48 89 e5 mov %rsp,%rbp
7: 41 55 push %r13
9: 41 54 push %r12
b: 49 89 f4 mov %rsi,%r12
e: 53 push %rbx
f: 48 89 fb mov %rdi,%rbx
12: e8 58 43 9f ff call 0xffffffffff9f436f
17: 49 89 5c 24 10 mov %rbx,0x10(%r12)
1c: be c0 0c 00 00 mov $0xcc0,%esi
21: 49 c7 44 24 18 00 00 movq $0x0,0x18(%r12)
28: 00 00
2a:* 8b 43 40 mov 0x40(%rbx),%eax <-- trapping instruction
2d: 8d 7c 00 09 lea 0x9(%rax,%rax,1),%edi

Code starting with the faulting instruction
===========================================
0: 8b 43 40 mov 0x40(%rbx),%eax
3: 8d 7c 00 09 lea 0x9(%rax,%rax,1),%edi
[ 1717.140059][T16063] RSP: 0018:ffff888125713978 EFLAGS: 00010293
[ 1717.141068][T16063] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81960dd1
[ 1717.142279][T16063] RDX: ffff888109814ec0 RSI: 0000000000000cc0 RDI: 0000000000000000
[ 1717.143481][T16063] RBP: ffff888125713990 R08: ffff888125713988 R09: 0000000000000000
[ 1717.144689][T16063] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881257139a8
[ 1717.145864][T16063] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000004
[ 1717.147100][T16063] FS: 00007fe8154fd640(0000) GS:ffff88813bb00000(0000) knlGS:0000000000000000
[ 1717.148462][T16063] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1717.149538][T16063] CR2: 0000000000000040 CR3: 000000011a2a2000 CR4: 00000000000006f0
[ 1717.150744][T16063] Call Trace:
[ 1717.151241][T16063] <TASK>
[1717.151699][T16063] ? show_regs (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/dumpstack.c:479)
[1717.152399][T16063] ? __die (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/dumpstack.c:421 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/kernel/dumpstack.c:434)
[1717.153004][T16063] ? page_fault_oops (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/mm/fault.c:711)
[1717.153756][T16063] ? hfs_find_init (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/bfind.c:21)
[1717.154485][T16063] ? is_prefetch.constprop.0 (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/mm/fault.c:171)
[1717.155318][T16063] ? kernelmode_fixup_or_oops.constprop.0 (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/mm/fault.c:738)
[1717.156264][T16063] ? __bad_area_nosemaphore (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/mm/fault.c:787)
[1717.157133][T16063] ? find_vma (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/mm/mmap.c:968)
[1717.157795][T16063] ? bad_area_nosemaphore (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/mm/fault.c:835)
[1717.158598][T16063] ? exc_page_fault (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/mm/fault.c:1448 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/mm/fault.c:1481 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/mm/fault.c:1539)
[1717.159356][T16063] ? asm_exc_page_fault (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/./arch/x86/include/asm/idtentry.h:623)
[1717.160156][T16063] ? hfs_ext_read_extent (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/extent.c:196 (discriminator 1))
[1717.160959][T16063] ? hfs_find_init (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/bfind.c:21)
[1717.161722][T16063] ? hfs_find_init (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/bfind.c:19)
[1717.162442][T16063] hfs_ext_read_extent (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/extent.c:201)
[1717.163230][T16063] ? __sanitizer_cov_trace_const_cmp1 (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/kcov.c:302)
[1717.164225][T16063] ? __sanitizer_cov_trace_const_cmp4 (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/kcov.c:316)
[1717.165186][T16063] hfs_get_block (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/extent.c:367)
[1717.165961][T16063] block_read_full_folio (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/buffer.c:2402 (discriminator 3))
[1717.166799][T16063] ? __pfx_hfs_get_block (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/extent.c:338)
[1717.167608][T16063] ? __pfx_hfs_read_folio (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/inode.c:33)
[1717.168420][T16063] hfs_read_folio (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/inode.c:35)
[1717.169111][T16063] filemap_read_folio (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/mm/filemap.c:2367)
[1717.169867][T16063] do_read_cache_folio (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/mm/filemap.c:3826)
[1717.170658][T16063] ? __pfx_hfs_read_folio (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/inode.c:33)
[1717.171463][T16063] read_cache_page (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/mm/filemap.c:3892 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/mm/filemap.c:3900)
[1717.172185][T16063] hfs_btree_open (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/btree.c:79)
[1717.172923][T16063] ? __bread_gfp (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/buffer.c:1496)
[1717.173609][T16063] hfs_mdb_get (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/mdb.c:199)
[1717.174275][T16063] hfs_fill_super (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/super.c:408)
[1717.175009][T16063] ? __sanitizer_cov_trace_cmp4 (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/kcov.c:289)
[1717.175887][T16063] ? __sanitizer_cov_trace_const_cmp4 (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/kernel/kcov.c:316)
[1717.176832][T16063] ? sb_set_blocksize (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/block/bdev.c:189)
[1717.177615][T16063] ? setup_bdev_super (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/super.c:1595)
[1717.178363][T16063] ? __pfx_hfs_fill_super (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/super.c:380)
[1717.179175][T16063] mount_bdev (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/super.c:1680)
[1717.179859][T16063] hfs_mount (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/super.c:458)
[1717.180477][T16063] legacy_get_tree (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/fs_context.c:664)
[1717.181166][T16063] vfs_get_tree (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/super.c:1801)
[1717.181861][T16063] path_mount (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namespace.c:3508 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namespace.c:3834)
[1717.182563][T16063] __x64_sys_mount (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namespace.c:3848 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namespace.c:4055 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namespace.c:4032 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/namespace.c:4032)
[1717.183282][T16063] x64_sys_call (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/entry/syscall_64.c:36)
[1717.184009][T16063] do_syscall_64 (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/entry/common.c:52 /data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/entry/common.c:83)
[1717.184714][T16063] entry_SYSCALL_64_after_hwframe (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/arch/x86/entry/entry_64.S:130)
[ 1717.185613][T16063] RIP: 0033:0x7fe81479e49e
[ 1717.186289][T16063] Code: 48 c7 c0 ff ff ff ff eb aa e8 5e 20 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 78
All code
========
0: 48 c7 c0 ff ff ff ff mov $0xffffffffffffffff,%rax
7: eb aa jmp 0xffffffffffffffb3
9: e8 5e 20 00 00 call 0x206c
e: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
15: 00 00 00
18: 0f 1f 40 00 nopl 0x0(%rax)
1c: f3 0f 1e fa endbr64
20: 49 89 ca mov %rcx,%r10
23: b8 a5 00 00 00 mov $0xa5,%eax
28: 0f 05 syscall
2a:* 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax <-- trapping instruction
30: 78 .byte 0x78

Code starting with the faulting instruction
===========================================
0: 48 3d 01 f0 ff ff cmp $0xfffffffffffff001,%rax
6: 78 .byte 0x78
[ 1717.189219][T16063] RSP: 002b:00007fe8154fcda8 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
[ 1717.190532][T16063] RAX: ffffffffffffffda RBX: 000000000000025c RCX: 00007fe81479e49e
[ 1717.191730][T16063] RDX: 0000000020000240 RSI: 0000000020000040 RDI: 00007fe8154fce00
[ 1717.192929][T16063] RBP: 00007fe8154fce40 R08: 00007fe8154fce40 R09: 0000000003008800
[ 1717.194148][T16063] R10: 0000000003008800 R11: 0000000000000246 R12: 0000000020000240
[ 1717.195323][T16063] R13: 0000000020000040 R14: 00007fe8154fce00 R15: 0000000020000000
[ 1717.196566][T16063] </TASK>
[ 1717.197034][T16063] Modules linked in:
[ 1717.197632][T16063] CR2: 0000000000000040
[ 1717.198347][T16063] ---[ end trace 0000000000000000 ]---
[1717.199218][T16063] RIP: 0010:hfs_find_init (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/bfind.c:21)
[ 1717.200018][T16063] Code: 0f 1f 00 55 48 89 e5 41 55 41 54 49 89 f4 53 48 89 fb e8 58 43 9f ff 49 89 5c 24 10 be c0 0c 00 00 49 c7 44 24 18 00 00 00 00 <8b> 43 40 8d 7c 00 09
All code
========
0: 0f 1f 00 nopl (%rax)
3: 55 push %rbp
4: 48 89 e5 mov %rsp,%rbp
7: 41 55 push %r13
9: 41 54 push %r12
b: 49 89 f4 mov %rsi,%r12
e: 53 push %rbx
f: 48 89 fb mov %rdi,%rbx
12: e8 58 43 9f ff call 0xffffffffff9f436f
17: 49 89 5c 24 10 mov %rbx,0x10(%r12)
1c: be c0 0c 00 00 mov $0xcc0,%esi
21: 49 c7 44 24 18 00 00 movq $0x0,0x18(%r12)
28: 00 00
2a:* 8b 43 40 mov 0x40(%rbx),%eax <-- trapping instruction
2d: 8d 7c 00 09 lea 0x9(%rax,%rax,1),%edi

Code starting with the faulting instruction
===========================================
0: 8b 43 40 mov 0x40(%rbx),%eax
3: 8d 7c 00 09 lea 0x9(%rax,%rax,1),%edi
[ 1717.202999][T16063] RSP: 0018:ffff888125713978 EFLAGS: 00010293
[ 1717.203929][T16063] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81960dd1
[ 1717.205136][T16063] RDX: ffff888109814ec0 RSI: 0000000000000cc0 RDI: 0000000000000000
[ 1717.206351][T16063] RBP: ffff888125713990 R08: ffff888125713988 R09: 0000000000000000
[ 1717.207566][T16063] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8881257139a8
[ 1717.208763][T16063] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000004
[ 1717.210026][T16063] FS: 00007fe8154fd640(0000) GS:ffff88813bb00000(0000) knlGS:0000000000000000
[ 1717.211367][T16063] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1717.212372][T16063] CR2: 0000000000000040 CR3: 000000011a2a2000 CR4: 00000000000006f0
[ 1717.213617][T16063] Kernel panic - not syncing: Fatal exception
[ 1717.214884][T16063] Kernel Offset: disabled
[ 1717.215464][T16063] Rebooting in 86400 seconds..
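Reading the decoded oops above: the trapping instruction `mov 0x40(%rbx),%eax` in hfs_find_init (fs/hfs/bfind.c:21) executed with RBX = 0, and the prologue shows `mov %rdi,%rbx`, so the pointer passed as the first argument was NULL and CR2 = 0x40 is that NULL plus a field offset. The script below is an added triage helper, not code from the report or from the kernel tree: it parses these decoded oops lines (the sample is constructed from the log above) and checks that the trapping instruction's memory operand, evaluated with the dumped registers, accounts for CR2, which is the consistency check worth doing before filing a fuzzer crash as a plain NULL-plus-offset dereference.

```python
import re

# Constructed sample: a subset of the decoded oops lines from the report above,
# with the mail line-wrapping rejoined.
SAMPLE_OOPS = """\
[ 1717.130222][T16063] BUG: kernel NULL pointer dereference, address: 0000000000000040
[ 1717.131287][T16063] #PF: supervisor read access in kernel mode
[ 1717.134454][T16063] CPU: 4 UID: 0 PID: 16063 Comm: syz.0.15 Not tainted 6.12.0-rc1 #5
[1717.136709][T16063] RIP: 0010:hfs_find_init (/data/ghui/docker_data/linux_kernel/upstream/linux_v6.11/fs/hfs/bfind.c:21)
2a:* 8b 43 40 mov 0x40(%rbx),%eax <-- trapping instruction
[ 1717.141068][T16063] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81960dd1
[ 1717.149538][T16063] CR2: 0000000000000040 CR3: 000000011a2a2000 CR4: 00000000000006f0
"""

BUG_RE = re.compile(r"BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
PF_RE = re.compile(r"#PF: (?:supervisor|user) (read|write|instruction fetch) access")
RIP_RE = re.compile(r"RIP: 0010:(\S+) \((\S+)\)")
TAINT_RE = re.compile(r"(Not tainted|Tainted: \S+) (\S+)")
TRAP_RE = re.compile(r"^\s*[0-9a-f]+:\*\s+(?:[0-9a-f]{2} )+(.+?)\s+<-- trapping instruction")
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR[234]): ([0-9a-f]{16})\b")
# AT&T memory operand disp(base,index,scale); everything but the parentheses is optional.
MEM_RE = re.compile(r"(-?0x[0-9a-f]+)?\((%[a-z0-9]+)?(?:,(%[a-z0-9]+)(?:,([1248]))?)?\)")


def parse_oops(text):
    """Collect the fields needed for triage from decoded oops text."""
    info = {"regs": {}}
    for line in text.splitlines():
        if m := BUG_RE.search(line):
            info["address"] = int(m.group(1), 16)
        elif m := PF_RE.search(line):
            info["access"] = m.group(1)
        elif m := RIP_RE.search(line):
            info["symbol"], info["location"] = m.group(1), m.group(2)
        elif m := TRAP_RE.search(line):
            info["insn"] = m.group(1)
        elif m := TAINT_RE.search(line):
            info["tainted"], info["version"] = m.group(1) != "Not tainted", m.group(2)
        for name, value in REG_RE.findall(line):
            info["regs"][name] = int(value, 16)
    return info


def regname(att):
    """Map an AT&T register ('%rbx', '%r8') to the dump's spelling ('RBX', 'R08')."""
    name = att.lstrip("%").upper()
    return f"R{int(name[1:]):02d}" if name[1:].isdigit() else name


def explain_fault(info):
    """Evaluate the trapping instruction's memory operand with the dumped registers."""
    m = MEM_RE.search(info["insn"])
    regs = info["regs"]
    disp = int(m.group(1), 16) if m.group(1) else 0
    base = regname(m.group(2)) if m.group(2) else None
    index = regname(m.group(3)) if m.group(3) else None
    scale = int(m.group(4)) if m.group(4) else 1
    effective = (regs.get(base, 0) + regs.get(index, 0) * scale + disp) & (2**64 - 1)
    return {
        "base": base, "base_value": regs.get(base), "disp": disp,
        "effective": effective, "matches_cr2": effective == regs.get("CR2"),
        # x86 reports faults below PAGE_SIZE (4096) as a NULL pointer dereference
        "null_plus_offset": base is not None and regs.get(base) == 0 and effective < 4096,
        "access": info.get("access"),
    }
```

Run `explain_fault(parse_oops(SAMPLE_OOPS))` to get the verdict for this report; a mismatch between the computed effective address and CR2 would mean the register dump does not belong to the trapping instruction and the crash needs a closer look.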